- 19 Oct, 2009 3 commits
-
-
Tomoki Sekiyama authored
I found a deadlock bug in UNIX domain socket, which makes it possible for non-root users to mount a DoS attack against the local machine.

How to reproduce:
1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstract namespace(*), and shutdown(2) it.
2. Repeat connect(2)ing to the listening socket from the other sockets until the connection backlog is full.
3. connect(2) takes the CPU forever. If every core is taken, the system hangs.

PoC code: (Run as many times as cores on SMP machines.)

    int main(void)
    {
        int ret;
        int csd;
        int lsd;
        struct sockaddr_un sun;

        /* make an abstract name address (*) */
        memset(&sun, 0, sizeof(sun));
        sun.sun_family = PF_UNIX;
        sprintf(&sun.sun_path[1], "%d", getpid());

        /* create the listening socket and shutdown */
        lsd = socket(AF_UNIX, SOCK_STREAM, 0);
        bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
        listen(lsd, 1);
        shutdown(lsd, SHUT_RDWR);

        /* connect loop */
        alarm(15); /* forcibly exit the loop after 15 sec */
        for (;;) {
            csd = socket(AF_UNIX, SOCK_STREAM, 0);
            ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
            if (-1 == ret) {
                perror("connect()");
                break;
            }
            puts("Connection OK");
        }
        return 0;
    }

(*) Make sun_path[0] = 0 to use the abstract namespace. If a file-based socket is used, the system doesn't deadlock because of context switches in the file system layer.

Why this happens:
Error checks between unix_socket_connect() and unix_wait_for_peer() are inconsistent. The former calls the latter to wait until the backlog is processed. Although the latter returns without doing anything when the socket is shutdown, the former doesn't check the shutdown state and just retries calling the latter forever.

Patch:
The patch below adds a shutdown check into unix_socket_connect(), so connect(2) to the shutdown socket will return -ECONNREFUSED.

Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
Signed-off-by: Masanori Yoshida <masanori.yoshida.tv@hitachi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
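
A user-space model of the retry loop described in the commit message above, added here as an illustration and not taken from the kernel or from the patch. `struct listener`, `model_connect()`, `replay()` and `ERR_SPIN` are hypothetical names, and the retry bound exists only so the model terminates; it opens no sockets and only replays the reported sequence against the logic with and without the shutdown check.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define RCV_SHUTDOWN 1       /* receive side closed by shutdown(2) */
#define ERR_SPIN     (-1000) /* model only: retry budget used up */

/* Simplified stand-in for the listening socket (not the kernel's struct). */
struct listener {
    int shutdown_flags;
    int queued;   /* connections waiting for accept(2) */
    int backlog;  /* limit given to listen(2) */
};

static bool recvq_full(const struct listener *l) { return l->queued > l->backlog; }

/* Models unix_wait_for_peer(): it sleeps only if the listener is still open
 * and its queue is full. Returns true when it would have slept. */
static bool wait_for_peer(const struct listener *l)
{
    return !(l->shutdown_flags & RCV_SHUTDOWN) && recvq_full(l);
}

/* Models the connect-side retry loop. check_shutdown selects the patched
 * behaviour; max_spins bounds the loop so the model always terminates. */
static int model_connect(struct listener *l, bool check_shutdown,
                         int max_spins, int *spins)
{
    *spins = 0;
    for (;;) {
        if (check_shutdown && (l->shutdown_flags & RCV_SHUTDOWN))
            return -ECONNREFUSED;
        if (!recvq_full(l)) {
            l->queued++;          /* connection queued for accept(2) */
            return 0;
        }
        if (wait_for_peer(l))
            l->queued--;          /* slept; model one accept(2) draining */
        else if (++*spins >= max_spins)
            return ERR_SPIN;      /* returned at once: busy retry */
    }
}

/* Replays the report: listen(lsd, 1), shutdown, then the connect loop. */
static int replay(bool patched, int *ok, int *spins)
{
    struct listener l = { RCV_SHUTDOWN, 0, 1 };
    int err;
    *ok = 0;
    while ((err = model_connect(&l, patched, 1000000, spins)) == 0)
        (*ok)++;
    return err;   /* the error that ended the loop */
}

int main(void)
{
    int ok, spins, err;
    err = replay(false, &ok, &spins);
    printf("unpatched: %d connects, err %d after %d retries\n", ok, err, spins);
    err = replay(true, &ok, &spins);
    printf("patched:   %d connects, err %d after %d retries\n", ok, err, spins);
    return 0;
}
```

In the unpatched run the loop never sleeps once the backlog fills, which is the CPU spin the report describes; with the check, the first connect is refused before the queue is consulted.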
-
Thomas Chou authored
This patch fixed the problem of dropped packets due to loss of interrupt requests. We should only clear what was pending at the moment we read the irq source reg. Signed-off-by: Thomas Chou <thomas@wytron.com.tw> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Thomas Chou authored
Signed-off-by: Thomas Chou <thomas@wytron.com.tw> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 17 Oct, 2009 1 commit
-
-
Randy Dunlap authored
vmxnet3 was using dprintk() for debugging output. This was defined in <linux/dst.h> and was the only thing that was used from that header file. This caused compile errors when CONFIG_BLOCK was not enabled due to bio* and BIO* uses in the header file, so change this driver to use dev_dbg() for debugging output.

include/linux/dst.h:520: error: dereferencing pointer to incomplete type
include/linux/dst.h:520: error: 'BIO_POOL_BITS' undeclared (first use in this function)
include/linux/dst.h:521: error: dereferencing pointer to incomplete type
include/linux/dst.h:522: error: dereferencing pointer to incomplete type
include/linux/dst.h:525: error: dereferencing pointer to incomplete type
make[4]: *** [drivers/net/vmxnet3/vmxnet3_drv.o] Error 1

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Bhavesh Davda <bhavesh@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 15 Oct, 2009 4 commits
-
-
Eric Dumazet authored
Because netpoll can call netdevice start_xmit() method with irqs disabled, drivers should not call kfree_skb() from their start_xmit(), but use dev_kfree_skb_any() instead.

Oct 8 11:16:52 172.30.1.31 [113074.791813] ------------[ cut here ]------------
Oct 8 11:16:52 172.30.1.31 [113074.791813] WARNING: at net/core/skbuff.c:398 \
    skb_release_head_state+0x64/0xc8()
Oct 8 11:16:52 172.30.1.31 [113074.791813] Hardware name:
Oct 8 11:16:52 172.30.1.31 [113074.791813] Modules linked in: netconsole ocfs2 jbd2 quota_tree \
    ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs crc32c drbd cn loop \
    serio_raw psmouse snd_pcm snd_timer snd soundcore snd_page_alloc virtio_net pcspkr parport_pc parport \
    i2c_piix4 i2c_core button processor evdev ext3 jbd mbcache dm_mirror dm_region_hash dm_log dm_snapshot \
    dm_mod ide_cd_mod cdrom ata_generic ata_piix virtio_blk libata scsi_mod piix ide_pci_generic ide_core \
    virtio_pci virtio_ring virtio floppy thermal fan thermal_sys [last unloaded: netconsole]
Oct 8 11:16:52 172.30.1.31 [113074.791813] Pid: 11132, comm: php5-cgi Tainted: G W \
    2.6.31.2-vserver #1
Oct 8 11:16:52 172.30.1.31 [113074.791813] Call Trace:
Oct 8 11:16:52 172.30.1.31 [113074.791813] <IRQ> [<ffffffff81253cd5>] ? \
    skb_release_head_state+0x64/0xc8
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81253cd5>] ? skb_release_head_state+0x64/0xc8
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81049ae1>] ? warn_slowpath_common+0x77/0xa3
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81253cd5>] ? skb_release_head_state+0x64/0xc8
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81253a1a>] ? __kfree_skb+0x9/0x7d
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffffa01cb139>] ? free_old_xmit_skbs+0x51/0x6e \
    [virtio_net]
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffffa01cbc85>] ? start_xmit+0x26/0xf2 [virtio_net]
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8126934f>] ? netpoll_send_skb+0xd2/0x205
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffffa0429216>] ? write_msg+0x90/0xeb [netconsole]
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81049f06>] ? __call_console_drivers+0x5e/0x6f
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8102b49d>] ? kvm_clock_read+0x4d/0x52
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8104a082>] ? release_console_sem+0x115/0x1ba
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8104a632>] ? vprintk+0x2f2/0x34b
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8106b142>] ? vx_update_load+0x18/0x13e
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81308309>] ? printk+0x4e/0x5d
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff8102b49d>] ? kvm_clock_read+0x4d/0x52
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81070b62>] ? getnstimeofday+0x55/0xaf
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81062683>] ? ktime_get_ts+0x21/0x49
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff810626b7>] ? ktime_get+0xc/0x41
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81062788>] ? hrtimer_interrupt+0x9c/0x146
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81024a4b>] ? smp_apic_timer_interrupt+0x80/0x93
Oct 8 11:16:52 172.30.1.31 [113074.791813] [<ffffffff81011663>] ? apic_timer_interrupt+0x13/0x20
Oct 8 11:16:52 172.30.1.31 [113074.791813] <EOI> [<ffffffff8130a9eb>] ? _spin_unlock_irq+0xd/0x31

Reported-and-tested-by: Massimo Cetra <mcetra@navynet.it>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Bug-Entry: http://bugzilla.kernel.org/show_bug.cgi?id=14378
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Sathya Perla authored
Before issuing any cmds to the FW, the driver must first wait till the FW becomes ready. This is needed for PCI hot plug when the driver can be probed while the card FW is being initialized. Signed-off-by: Sathya Perla <sathyap@serverengines.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Sathya Perla authored
Signed-off-by: Sathya Perla <sathyap@serverengines.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Randy Dunlap authored
vmxnet3 uses in_dev* interfaces so it should depend on INET. Also fix so that the driver builds when CONFIG_PCI_MSI is disabled.

vmxnet3_drv.c:(.text+0x2a88cb): undefined reference to `in_dev_finish_destroy'
drivers/net/vmxnet3/vmxnet3_drv.c:1335: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
drivers/net/vmxnet3/vmxnet3_drv.c:1384: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
drivers/net/vmxnet3/vmxnet3_drv.c:2137: error: 'struct vmxnet3_intr' has no member named 'msix_entries'
drivers/net/vmxnet3/vmxnet3_drv.c:2138: error: 'struct vmxnet3_intr' has no member named 'msix_entries'

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Bhavesh davda <bhavesh@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 14 Oct, 2009 4 commits
-
-
Giuseppe Cavallaro authored
This is the driver for the ST MAC 10/100/1000 on-chip Ethernet controllers (Synopsys IP blocks).

Driver documentation:
 o http://stlinux.com/drupal/kernel/network/stmmac
Revisions:
 o http://stlinux.com/drupal/kernel/network/stmmac-driver-revisions
Performances:
 o http://stlinux.com/drupal/benchmarks/networking/stmmac

Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Randy Dunlap authored
From: Randy Dunlap <randy.dunlap@oracle.com>

ks8851_mll uses mii interfaces so it needs to select MII.

ks8851_mll.c:(.text+0xf95ac): undefined reference to `generic_mii_ioctl'
ks8851_mll.c:(.text+0xf96a0): undefined reference to `mii_ethtool_gset'
ks8851_mll.c:(.text+0xf96fa): undefined reference to `mii_ethtool_sset'
ks8851_mll.c:(.text+0xf9754): undefined reference to `mii_link_ok'
ks8851_mll.c:(.text+0xf97ae): undefined reference to `mii_nway_restart'

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
John Bonesio authored
The MDIO bus cannot be accessed at interrupt context, but on an FEC error, the fec_mpc52xx driver reset function also tries to reset the PHY. Since the error is detected at IRQ context, and the PHY functions try to sleep, the kernel ends up panicking. Resetting the PHY on an FEC error isn't even necessary. This patch solves the problem by removing the PHY reset entirely. Signed-off-by: John Bonesio <bones@secretlab.ca> Signed-off-by: Grant Likely <grant.likely@secretlab.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Anton Vorontsov authored
Some OF platform drivers are missing module device tables, so they won't load automatically on boot. This patch fixes the issue by adding proper MODULE_DEVICE_TABLE() macros to the drivers. Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 13 Oct, 2009 14 commits
-
-
Sriram authored
The mechanism to clear the statistics register is dependent on the status of GMIIEN bit in MAC control register. If the GMIIEN bit is set, the stats registers are write to decrement. If the GMIIEN bit is cleared, the stats registers are plain read/write registers. The stats register clearing operation must take into account the current state of GMIIEN as it can be cleared when the interface is brought down. With existing implementation logic, querying for interface stats when the interface is down, can corrupt the statistics counters. This patch examines the GMIIEN bit status in MAC_CONTROL register before choosing an appropriate mask for clearing stats registers. Signed-off-by: Sriramakrishnan <srk@ti.com> Acked-by: Chaithrika U S <chaithrika@ti.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
françois romieu authored
Extracted from Realtek's 8.012.00 r8168 driver. Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Tested-by: Simon Farnsworth <simon.farnsworth@onelan.com> Cc: Edward Hsu <edward_hsu@realtek.com.tw> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dmitry Artamonow authored
Signed-off-by: Dmitry Artamonow <mad_soft@inbox.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
udp_poll() can in some circumstances drop frames with incorrect checksums. Problem is we now have to lock the socket while dropping frames, or risk sk_forward corruption. This bug is present since commit 95766fff ([UDP]: Add memory accounting.) While we are at it, we can correct ioctl(SIOCINQ) to also drop bad frames. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Krzysztof Halasa authored
Cisco HDLC uses keepalive packets and sequence numbers to determine link state. In rare cases both ends could transmit keepalive packets at the same time, causing the received sequence numbers to be treated as incorrect. Now we accept our current sequence number as well as the previous one. Signed-off-by: Krzysztof Hałasa <khc@pm.waw.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Willy Tarreau authored
I was trying to use TCP_DEFER_ACCEPT and noticed that if the client does not talk, the connection is never accepted and remains in SYN_RECV state until the retransmits expire, where it finally is deleted. This is bad when some firewall such as netfilter sits between the client and the server because the firewall sees the connection in ESTABLISHED state while the server will finally silently drop it without sending an RST.

This behaviour contradicts the man page which says it should wait only for some time:

    TCP_DEFER_ACCEPT (since Linux 2.4)
        Allows a listener to be awakened only when data arrives on the socket. Takes an integer value (seconds), this can bound the maximum number of attempts TCP will make to complete the connection. This option should not be used in code intended to be portable.

Also, looking at ipv4/tcp.c, a retransmit counter is correctly computed:

    case TCP_DEFER_ACCEPT:
        icsk->icsk_accept_queue.rskq_defer_accept = 0;
        if (val > 0) {
            /* Translate value in seconds to number of
             * retransmits */
            while (icsk->icsk_accept_queue.rskq_defer_accept < 32 &&
                   val > ((TCP_TIMEOUT_INIT / HZ) <<
                          icsk->icsk_accept_queue.rskq_defer_accept))
                icsk->icsk_accept_queue.rskq_defer_accept++;
            icsk->icsk_accept_queue.rskq_defer_accept++;
        }
        break;

==> rskq_defer_accept is used as a counter of retransmits.

But in tcp_minisocks.c, this counter is only checked. And in fact, I have found no location which updates it. So I think that what was intended was to decrease it in tcp_minisocks whenever it is checked, which the trivial patch below does.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ken Kawasaki authored
3c574_cs: spin_lock the set_multicast_list function. Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Chris Rankin authored
The Belkin F8T012xx1 bluetooth adaptor has the same vendor and product IDs as the Belkin F5D5050, so we need to teach the pegasus driver to ignore adaptors belonging to the "Wireless" class 0xE0. For this one case anyway, seeing as pegasus is a driver for "Wired" adaptors. Signed-off-by: Chris Rankin <rankincj@yahoo.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dhananjay Phadke authored
Use resource_size_t for PCI resource remapping instead of unsigned long. Physical addresses can exceed range of long data type (e.g with PAE). Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alan Cox authored
drivers/net/ethoc.c: In function ‘ethoc_open’:
drivers/net/ethoc.c:667: warning: comparison of distinct pointer types lacks a cast

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alan Cox authored
drivers/net/wireless/libertas/cmdresp.c: In function ‘lbs_process_event’:
drivers/net/wireless/libertas/cmdresp.c:519: error: ‘TASK_INTERRUPTIBLE’ undeclared (first use in this function)
drivers/net/wireless/libertas/cmdresp.c:519: error: (Each undeclared identifier is reported only once
drivers/net/wireless/libertas/cmdresp.c:519: error: for each function it appears in.)

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Shreyas Bhatewara authored
Ethernet NIC driver for VMware's vmxnet3 From: Shreyas Bhatewara <sbhatewara@vmware.com> This patch adds driver support for VMware's virtual Ethernet NIC: vmxnet3 Guests running on VMware hypervisors supporting vmxnet3 device will thus have access to improved network functionalities and performance. Signed-off-by: Shreyas Bhatewara <sbhatewara@vmware.com> Signed-off-by: Bhavesh Davda <bhavesh@vmware.com> Signed-off-by: Ronghua Zhang <ronghua@vmware.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vincent Sanders authored
The IXP 2000 network driver was failing to build as it has its own statistics gathering which was not compatible with the recent network device operations changes. This patch fixes the driver in the obvious way and has been compile tested. I have been unable to get the ixp2000 maintainer to comment or test this fix. Signed-off-by: Vincent Sanders <vince@simtec.co.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 12 Oct, 2009 10 commits
-
-
Alan Cox authored
drivers/net/wireless/libertas/cmdresp.c: In function ‘lbs_process_event’:
drivers/net/wireless/libertas/cmdresp.c:519: error: ‘TASK_INTERRUPTIBLE’ undeclared (first use in this function)
drivers/net/wireless/libertas/cmdresp.c:519: error: (Each undeclared identifier is reported only once
drivers/net/wireless/libertas/cmdresp.c:519: error: for each function it appears in.)

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
ieee80211_rx() must be called with softirqs disabled since the networking stack requires this for netif_rx() and some code in mac80211 can assume that it can not be processing its own tasklet and this call at the same time. It may be possible to remove this requirement after a careful audit of mac80211 and doing any needed locking improvements in it along with disabling softirqs around netif_rx(). An alternative might be to push all packet processing to process context in mac80211, instead of to the tasklet, and add other synchronisation. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
Due to the way it interacts with the networking stack and other parts of mac80211, ieee80211_rx() must be called with disabled softirqs.

[1] http://thread.gmane.org/gmane.linux.kernel.wireless.general/39440/focus=40266

Reported-by: Dave Young <hidave.darkstar@gmail.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
When a scan completes, we call ieee80211_sta_find_ibss(), which is also called from other places. When the scan was done in software, there's no problem as both run from the single-threaded mac80211 workqueue and are thus serialised against each other, but with hardware scan the completion can be in a different context and race against callers of this function from the workqueue (e.g. due to beacon RX). So instead of calling ieee80211_sta_find_ibss() directly, just arm the timer and have it fire, scheduling the work, which will invoke ieee80211_sta_find_ibss() (if that is appropriate in the current state). Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Felix Fietkau authored
Signed-off-by: Felix Fietkau <nbd@openwrt.org> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Wey-Yi Guy authored
Need to free the dynamically allocated memory before ieee80211_free_hw(); once ieee80211_free_hw() has been called, the "priv" data structure should not be referenced. Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Ben Hutchings authored
If ace_load_firmware() fails, ace_init() cleans up but still returns 0, leading to an oops as seen in <http://bugs.debian.org/521383>. It should pass the error code up. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
Since commit a98b65a3 (net: annotate struct sock bitfield), we lost 8 bytes in struct sock on 64bit arches because of kmemcheck_bitfield_end(flags) misplacement. Fix this by putting together sk_shutdown, sk_no_check, sk_userlocks, sk_protocol and sk_type in the 'flags' 32bits bitfield Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
jamal authored
This probably deserves to go into -stable. Pedit will reject a policy that is large because it uses the wrong structure in the policy validation. This fixes it. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 09 Oct, 2009 4 commits
-
-
David S. Miller authored
We need PHY drivers to initialize in a static kernel before the MAC drivers that use them. So link them in first. Based upon a report by Felix Radensky. Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dave Mitchell authored
Some of the EMAC V4 implementations support 16K Tx FIFOs. This patch adds support for this functionality and fixes typos in the Tx FIFO size error messages. Signed-off-by: Dave Mitchell <dmitchell@appliedmicro.com> Acked-by: Prodyut Hazarika <phazarika@appliedmicro.com> Acked-by: Victor Gallardo <vgallardo@appliedmicro.com> Acked-by: Loc Ho <lho@appliedmicro.com> Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ron Mercer authored
This was accidentally omitted from one of the previous patches for firmware event handling. The handler needs to enable the firmware irq mask when it's done processing or it may not get any more event interrupts. Signed-off-by: Ron Mercer <ron.mercer@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ron Mercer authored
Call set_multi API after reset recovery. This was exposed by tripping tx_timeout. Signed-off-by: Ron Mercer <ron.mercer@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-